The announced ASP.NET vulnerability (Microsoft Security Advisory 2416728) also affects Exchange Server. The Exchange Team has tested and approved the patch for this vulnerability, and it is recommended that you apply it to your Exchange servers as soon as possible.
The Exchange Server team has completed validation of this fix against Microsoft Exchange Server 2010, 2007 and 2003 and we are pleased to report that we have not identified any issues related to the application of this patch on an Exchange Server.
We recommend that Exchange customers consider applying this fix to all of their Exchange Servers which have an affected version of ASP.NET installed on the underlying Operating System in a timely manner to help protect against any attempts to exploit this vulnerability within their environment.
Details of the fix and its application, along with download links, can be found here:
Microsoft Security Bulletin MS10-070 – Important: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
For more information and direct download links, read Scott Guthrie’s blog post: ASP.NET Security Update Now Available